There's a skeleton lurking in business environments everywhere. It's been there for years. It's not glamorous, and it doesn't make headlines like zero days. But it keeps showing up in our Security Operations Center (SOC) cases again and again.
It's Remote Desktop Protocol (RDP) that’s exposed to the internet. And it is still one of the most reliable ways for attackers to access your environment in 2026.
These are real-world stories of overlooked RDP exposures that didn't turn into full-blown security incidents because the organizations involved had already invested in resilient security programs.
Why RDP gets overlooked
The teams responsible for catching these exposures are often stretched thin.
According to a recent Huntress survey of 1,050 IT and security professionals, the most common security team sizes fall between 6–10 people (21.4%) and 11–15 people (19%). More telling: only 39.6% of organizations have a dedicated in-house cybersecurity team. Another 35% share IT and security responsibilities, and 18% rely on a single person.
That's a lot of responsibility concentrated in very few hands. And when those hands are busy, things fall through the cracks, like an exposed RDP port that got flagged six months ago but moved to the bottom of the backlog.
Alert noise makes it worse. Nearly two-thirds of respondents (64.1%) report that at least 25% of their alerts are meaningless noise. When every alert looks the same, the real ones get buried.
As Chris Henderson, Chief Information Security Officer at Huntress, puts it:
"People don't fail because they're careless. They fail because they're human, and the systems weren't designed to catch these human mistakes."
Resilient teams know they won't catch everything. They build their programs to surface oversights before attackers can do lasting damage.
Overlooked risks are cybercrime business opportunities
The gaps in the stories below aren't sophisticated. And they're not zero-day vulnerabilities. They're just configurations that were probably flagged at some point, added to a backlog, and quietly forgotten.
What’s worse is that threat actors have built an entire business model around your backlog. Just like you, they’re running a profit-driven business, with communication networks, finances, and support services. They're methodical. They're organized. And just like any other legit competitor, this hidden competition will find the vulnerable thing you forgot about, like exposed RDP, and use it against you over and over again. To understand why your oversight is their opportunity, you can start here:
They’re not targeting you. They’re testing everyone.
Threat actors aren't always specifically hunting your business. In many cases, they're running automated scans across the internet, testing every possible weakness until something gives.
That's exactly what happened at a healthcare organization that had left an RDP server exposed to the public internet. The attacker didn't need sophisticated tradecraft or an exploit. They simply found the open port (typically 3389) and the intrusion began.
The Security Information and Event Management (SIEM) platform detected the intrusion at the moment of initial access, and the SOC kicked the attacker out before they gained persistence.
The whole situation was entirely preventable by putting RDP behind a firewall. That one configuration change is the difference between an eyebrow-raising non-event and a business-stopping incident.
Figure 1: Huntress incident report exposing a compromised RDP server
They'll come back. Especially if nothing changes.
In another case, a threat actor accessed a client environment through an exposed Remote Desktop Web Access (RDWeb) portal. RDWeb is a Microsoft component that lets users securely reach internal company applications or full desktops over RDP from a web browser. In this incident, the attackers brought a custom-built reverse tunnel for persistent access, with Windows and Linux builds, and automated credential-harvesting scripts running in the background.
Our SOC quickly contained the threat, shut down the attackers, and reported back to the partner.
But the next morning, the attackers returned to the same exposed RDWeb portal. It was a different compromised account, but the same entry point. They didn't need to try anything new, because nothing had changed.
The same vulnerable exposure was exploited twice because it wasn’t closed fast enough. That's the reality of overlooked risks.
Figure 2: Exposed RDWeb attack path
They just need your tools
Exposed RDP is more than just an entry point. Once an attacker is inside, they'll use it to dig deeper into your environment.
Our SOC caught a cybercriminal who compromised a partner's network through a vulnerable SonicWall VPN, using cheap $10 hosting infrastructure (Hostinger and Freakhosting) as a launchpad. Once inside, the attacker moved laterally and modified the firewall and registry values to enable RDP. Here are the commands this attacker used:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
net stop TermService && timeout /t 2 && net start TermService
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall add rule name="RDP-Open" dir=in protocol=TCP localport=3389 action=allow enable=yes
netsh advfirewall firewall add rule name="RDP-Open" dir=in protocol=TCP localport=3389 action=allow enable=yes
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
This was followed by authentication from a known malicious workstation and the use of Advanced IP Scanner for further enumeration.
This organization had the right defenses in place. Managed Endpoint Detection and Response (EDR) caught the lateral movement before the attacker could establish a foothold.
Figure 3: Tracking the attacker's steps to enable RDP access
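The command lines above are exactly what process-creation telemetry (Windows Event ID 4688 or Sysmon Event ID 1) hands to a SIEM or EDR. What follows is an added example, not Huntress code, of detection logic that flags the registry and firewall changes used to switch RDP on; the sample command lines are constructed, and the rule names are made up for this illustration.

```python
import re

# Constructed sample command lines, as they would appear in process-creation
# telemetry (Windows Event ID 4688 or Sysmon Event ID 1). Not from the incident.
SAMPLE_COMMAND_LINES = [
    'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    'net stop TermService && timeout /t 2 && net start TermService',
    'netsh advfirewall firewall add rule name="RDP-Open" dir=in protocol=TCP localport=3389 action=allow enable=yes',
    'netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes',
    # Benign lines that must not fire: an audit query and an unrelated firewall rule.
    'reg query "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections',
    'netsh advfirewall firewall add rule name="Web" dir=in protocol=TCP localport=443 action=allow',
]

# Detection rules (names are made up for this example). Case-insensitive, because cmd.exe is.
RULES = [
    ("rdp_enabled_via_registry",
     re.compile(r'reg(\.exe)?\s+add\b.*Terminal Server.*fDenyTSConnections.*\s/d\s+0\b', re.I)),
    ("rdp_firewall_port_opened",
     re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*localport=3389\b.*action=allow', re.I)),
    ("rdp_firewall_group_enabled",
     re.compile(r'netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="Remote Desktop".*enable=yes', re.I)),
    ("termservice_restarted",
     re.compile(r'\bnet(\.exe)?\s+(stop|start)\s+TermService\b', re.I)),
]


def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def assess(cmdlines):
    """Score a batch of command lines from one host: 'high' when RDP was switched on
    in the registry AND the firewall was opened for it, 'medium' when only one of
    those steps (or a bare TermService restart) was seen, 'none' otherwise.
    Returns (severity, sorted distinct rule names, list of (rule, command line) hits)."""
    hits = [(name, line) for line in cmdlines for name in classify(line)]
    seen = sorted({name for name, _ in hits})
    firewall_opened = {"rdp_firewall_port_opened", "rdp_firewall_group_enabled"} & set(seen)
    if "rdp_enabled_via_registry" in seen and firewall_opened:
        severity = "high"
    elif seen:
        severity = "medium"
    else:
        severity = "none"
    return severity, seen, hits
```

The same four rules applied to a real 4688/Sysmon feed give the SIEM the early warning this case hinged on: the registry flip and the firewall rule arriving together from one host is a strong signal even before the first RDP logon appears.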
What these cases are actually telling you to do
These were opportunistic attacks. And each case points to a specific gap worth closing.
The healthcare organization with the open RDP port needed a simple configuration change: RDP behind a firewall. If you don't know whether RDP is exposed on your network, look into it today. Tools like Shodan or a basic external scan of your IP space will help. That's your starting point.
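A minimal version of that external check, added here as an example and not part of the original post: it sends an X.224 Connection Request carrying an RDP Negotiation Request (the handshake defined in MS-RDPBCGR) to TCP/3389 and interprets the reply, so you can confirm which addresses in your own IP space answer as RDP and which security protocol they negotiate. The sample replies are constructed for offline testing; any host name you pass to probe_rdp is an assumption.

```python
import socket
import struct

# X.224 Connection Request carrying an RDP Negotiation Request (MS-RDPBCGR 2.2.1.1):
# TPKT header, X.224 CR TPDU, then RDP_NEG_REQ offering TLS|CredSSP (0x00000003).
X224_CONNECTION_REQUEST = bytes.fromhex("03 00 00 13 0e e0 00 00 00 00 00 01 00 08 00 03 00 00 00")

PROTOCOLS = {0: "PROTOCOL_RDP (standard RDP security, no NLA)", 1: "PROTOCOL_SSL (TLS, no NLA)",
             2: "PROTOCOL_HYBRID (CredSSP/NLA)", 8: "PROTOCOL_HYBRID_EX (CredSSP/NLA)"}
FAILURES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER", 3: "SSL_CERT_NOT_ON_SERVER",
            4: "INCONSISTENT_FLAGS", 5: "HYBRID_REQUIRED_BY_SERVER",
            6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}

# Constructed replies for offline testing (not captured from any real host).
CONSTRUCTED_NLA_REPLY = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 02 0f 08 00 02 00 00 00")
CONSTRUCTED_FAILURE_REPLY = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 03 00 08 00 05 00 00 00")
CONSTRUCTED_LEGACY_REPLY = bytes.fromhex("03 00 00 0b 06 d0 00 00 12 34 00")


def parse_x224_response(data):
    """Interpret the reply to X224_CONNECTION_REQUEST. Returns None unless the bytes
    are a TPKT-wrapped X.224 Connection Confirm (type 0xD0); otherwise a dict saying
    whether the listener negotiated a protocol, refused, or sent a bare confirm."""
    if len(data) < 11 or data[0] != 0x03 or data[5] != 0xD0:
        return None
    if len(data) < 19:  # old servers send a bare CC with no RDP_NEG_* structure
        return {"rdp": True, "negotiation": None}
    neg_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == 0x02:  # RDP_NEG_RSP: server chose one of the offered protocols
        return {"rdp": True, "negotiation": "response",
                "selected_protocol": PROTOCOLS.get(value, hex(value))}
    if neg_type == 0x03:  # RDP_NEG_FAILURE: server rejected the offer
        return {"rdp": True, "negotiation": "failure",
                "failure_code": FAILURES.get(value, hex(value))}
    return {"rdp": True, "negotiation": "unknown"}


def probe_rdp(host, port=3389, timeout=3.0):
    """Connect, send the request and parse the reply. None means nothing RDP-like
    answered (closed, filtered, or a different service sitting on the port)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(X224_CONNECTION_REQUEST)
            return parse_x224_response(s.recv(64))
    except OSError:  # covers ConnectionRefusedError and socket.timeout
        return None
```

Any host that returns a dict is what Shodan sees too; one that selects PROTOCOL_SSL or PROTOCOL_RDP even though CredSSP was offered is not enforcing Network Level Authentication, which is worth noting in the ticket alongside the firewall fix.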
The organization that got hit twice had a different problem. The entry point was a known vulnerable exposure, and it stayed open. When an attacker accesses your environment through a specific exposure, close it and rotate the credentials associated with it before they come back. Because, as that case shows, they will.
The SonicWall case is a reminder that attackers will use your own legitimate and trusted tools. EDR is essential, but if you're not ingesting firewall and VPN logs into a SIEM, you don’t have an early warning system, and an attacker can persist in your environment for days before you see the first shady signal. Visibility across your full attack surface, not just endpoints, is what catches the things that slip through the cracks.
The bottom line across all three: these organizations were caught off guard by a common oversight, not surprised by a zero-day.
Invest in resilience
Misconfigurations happen. Exposed ports get missed. Backlogs grow. The cybercrime business model moves faster than any security checklist.
Resilience isn't about preventing every mistake. It's about limiting impact and recovering quickly when oversights happen. As Eric Stride, Chief Security Officer at Huntress, says in the Huntress How to Build a Resilient Security Team for 2030 field guide:
"The goal isn't to eliminate every risk. It's to build a system your team trusts when something goes wrong."
In every incident described here, the organizations survived because they had the right layers in place to catch exposures before they became a catastrophe.
Fix the misconfigurations you know about. And make sure someone's watching for the ones you don't.